CN107113278B - Method, device and system for neighbor establishment - Google Patents

Publication number: CN107113278B
Authority: CN (China)
Legal status (an assumption listed by Google Patents, not a legal conclusion): Active
Application number: CN201580062748.7A
Other languages: Chinese (zh)
Other versions: CN107113278A (en)
Inventors: 唐治宇, 侯文霞, 张旭东
Current assignee (as listed by Google Patents; the list may be inaccurate): Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Classifications

    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L41/12 Discovery or management of network topologies
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L45/026 Details of "hello" or keep-alive messages
    • H04L69/14 Multichannel or multilink protocols
    • H04L67/104 Peer-to-peer [P2P] networks

Abstract

Embodiments of the present invention disclose a method, device and system for neighbor establishment. Depending on whether the first network device and the second network device have authentication enabled, corresponding authentication information is added to the messages they send to each other. The first network device sends a HELLO message to the second network device; the second network device receives and authenticates the HELLO message and, after authentication succeeds, responds to the HELLO message with an extended UDL LSP message. The first network device then receives and authenticates the extended UDL LSP message; when the authentication result is that both the first network device and the second network device have authentication enabled and authentication succeeds, the neighbor relationship between the two can be established. This process avoids the case in which a neighbor relationship can be established although only one end has passed authentication, which overcomes the problem of incomplete authentication during neighbor establishment and improves security and reliability when neighbors are established between network devices.

Description

Method, device and system for neighbor establishment
Technical field
The present invention relates to the technical field of computer networks and, more specifically, to a method, device and system for neighbor establishment.
Background
The Integrated Intermediate System-to-Intermediate System (ISIS) protocol is a traditional link-state protocol. Devices running the ISIS protocol establish and maintain neighbor relationships through HELLO messages. To prevent malicious attacks during neighbor establishment, ISIS messages use an authentication mechanism: when authentication is enabled, both parties establishing the neighbor relationship must carry a TLV (type-length-value) used for authentication in their HELLO messages, and an ISIS neighbor relationship is allowed only if authentication succeeds.
Two network devices in an ISIS network are normally connected bidirectionally. In some scenarios the physical link in one direction fails and the two sides enter a unidirectionally connected scenario, which is defined in the unidirectional ISIS protocol. If other, indirect paths exist between the two sides at that point, neighbor information can be transmitted over an indirect path so that the two network devices can continue to establish and maintain the neighbor relationship. However, when one of the two network devices connected by the unidirectional link has authentication enabled and the other does not, the neighbor relationship can still be established normally, which introduces a security risk between the neighbors.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a method, device and system for neighbor establishment, to overcome the prior-art problem that, in a unidirectional link scenario, authentication is incomplete when neighbors are established between network devices, which introduces a security risk between the neighbors.
To achieve the above object, embodiments of the present invention provide the following technical solutions:
A first aspect of the embodiments of the present invention discloses a method for neighbor establishment, the method comprising:
A first network device sends a HELLO message to a second network device over a first unidirectional link, the HELLO message carrying first authentication information used to authenticate the first network device, the first unidirectional link being a directly connected link from the first network device to the second network device;
The first network device receives, over a second unidirectional link, an extended unidirectional link (UDL) link state packet (LSP) message from the second network device, the extended UDL LSP message being used to respond to the HELLO message; where the second network device has authentication enabled, the extended UDL LSP message carries second authentication information used to authenticate the second network device; the second unidirectional link is an indirectly connected link from the second network device to the first network device;
The first network device authenticates the extended UDL LSP message; when the authentication result is that both the first network device and the second network device have authentication enabled and authentication succeeds, the first network device establishes a neighbor relationship with the second network device.
In a first implementation of the first aspect of the embodiments of the present invention, the first network device authenticating the extended UDL LSP message comprises:
The first network device extracts the second authentication information, used to authenticate the second network device, carried in the extended UDL LSP message and performs authentication; when the authentication is valid, it obtains the authentication result that both the first network device and the second network device have authentication enabled and authentication succeeds.
In a second implementation of the first aspect of the embodiments of the present invention, after the first network device sends the HELLO message to the second network device over the first unidirectional link, the method further comprises:
Where the second network device does not have authentication enabled, the first network device receives, over the second unidirectional link, a unidirectional link (UDL) link state packet (LSP) message from the second network device, the UDL LSP message being used to respond to the HELLO message and not carrying the second authentication information used to authenticate the second network device, the second unidirectional link being an indirectly connected link from the second network device to the first network device; the first network device authenticates the UDL LSP message and, when it does not detect in the UDL LSP message the second authentication information used to authenticate the second network device, does not establish a neighbor relationship with the second network device.
In a third implementation of the first aspect of the embodiments of the present invention, the second authentication information used to authenticate the second network device comprises: authentication information of a broadcast network or authentication information of a point-to-point (P2P) network;
The format of the authentication information of the broadcast network comprises the following fields in order: a Type field storing the message type, a Length field storing the message length, an Extended Local Circuit ID field storing the extended local circuit identifier, an Authentication Type field storing the authentication type, and an Authentication Value field storing the authentication information;
The format of the authentication information of the P2P network comprises the following fields in order: a Type field storing the message type, a Length field storing the message length, a Neighbor LAN ID field storing the neighbor link identifier, an Authentication Type field storing the authentication type, and an Authentication Value field storing the authentication information.
A second aspect of the embodiments of the present invention discloses a network device, used as a first network device, comprising:
A communication unit, configured to send a HELLO message to a second network device over a first unidirectional link, the HELLO message carrying first authentication information used to authenticate the first network device, and to receive, over a second unidirectional link, an extended unidirectional link (UDL) link state packet (LSP) message from the second network device, the extended UDL LSP message being used to respond to the HELLO message; where the second network device has authentication enabled, the extended UDL LSP message carries second authentication information used to authenticate the second network device; the first unidirectional link is a directly connected link from the first network device to the second network device, and the second unidirectional link is an indirectly connected link from the second network device to the first network device;
A processor, configured to authenticate the extended UDL LSP message and, when the authentication result is that both the first network device and the second network device have authentication enabled and authentication succeeds, to establish the neighbor relationship between the first network device and the second network device.
In a first implementation of the second aspect of the embodiments of the present invention, the processor configured to authenticate the extended UDL LSP message comprises:
The processor, configured to extract the second authentication information, used to authenticate the second network device, carried in the extended UDL LSP message and to perform authentication; when the authentication is valid, it obtains the authentication result that both the first network device and the second network device have authentication enabled and authentication succeeds.
In a second implementation of the second aspect of the embodiments of the present invention, where the second network device does not have authentication enabled, the device further comprises:
The communication unit, configured to receive, over the second unidirectional link, a unidirectional link (UDL) link state packet (LSP) message from the second network device, the UDL LSP message being used to respond to the HELLO message and not carrying the second authentication information used to authenticate the second network device, the second unidirectional link being an indirectly connected link from the second network device to the first network device;
The processor, configured to authenticate the UDL LSP message and, when it does not detect in the UDL LSP message the second authentication information used to authenticate the second network device, not to establish a neighbor relationship with the second network device.
A third aspect of the embodiments of the present invention discloses a method for neighbor establishment, the method comprising:
A second network device receives, over a first unidirectional link, a HELLO message from a first network device, the HELLO message carrying first authentication information used to authenticate the first network device, the first unidirectional link being a directly connected link from the first network device to the second network device;
Where the second network device has authentication enabled, the second network device receives the HELLO message over the first unidirectional link and authenticates it; when authentication succeeds, it sends an extended unidirectional link (UDL) link state packet (LSP) message to the first network device over a second unidirectional link, the extended UDL LSP message being used to respond to the HELLO message and carrying second authentication information used to authenticate the second network device; the first network device authenticates the extended UDL LSP message, and where the authentication result is that both the first network device and the second network device have authentication enabled and authentication succeeds, the neighbor relationship with the first network device is established;
The second unidirectional link is an indirectly connected link from the second network device to the first network device.
In a first implementation of the third aspect of the embodiments of the present invention, the method further comprises:
Where the second network device does not have authentication enabled, the second network device sends a unidirectional link (UDL) link state packet (LSP) message to the first network device over the second unidirectional link, the UDL LSP message not carrying the second authentication information used to authenticate the second network device; the first network device authenticates the UDL LSP message, and where the first network device does not detect in the UDL LSP message the second authentication information used to authenticate the second network device, the neighbor relationship with the first network device is not established.
In a second implementation of the third aspect of the embodiments of the present invention, where the second network device has authentication enabled, the second network device receiving the HELLO message over the first unidirectional link and authenticating it comprises:
The second network device receives, over the first unidirectional link, the HELLO message carrying the first authentication information used to authenticate the first network device, extracts the first authentication information and authenticates the HELLO message;
When the authentication is valid, it confirms that authentication succeeds;
When the authentication is invalid, it confirms that authentication fails and does not establish a neighbor relationship with the first network device.
In a third implementation of the third aspect of the embodiments of the present invention, where the second network device has authentication enabled and the first network device does not, the method further comprises:
The second network device receives, over the first unidirectional link, a HELLO message sent by the first network device that does not carry the first authentication information used to authenticate the first network device, and authenticates it; when the first authentication information cannot be extracted, it confirms that authentication fails and discards the HELLO message.
In a fourth implementation of the third aspect of the embodiments of the present invention, sending the extended unidirectional link (UDL) link state packet (LSP) message to the first network device over the second unidirectional link, the extended UDL LSP message being used to respond to the HELLO message and carrying the second authentication information used to authenticate the second network device, comprises:
The second network device adds the second authentication information to the extended UDL LSP message and sends the extended UDL LSP message to the first network device over the second unidirectional link;
Or, the second network device adds the second authentication information to the extended UDL LSP message in encrypted form and sends the extended UDL LSP message to the first network device over the second unidirectional link.
In a fifth implementation of the third aspect of the embodiments of the present invention, the second authentication information of the second network device comprises: authentication information of a broadcast network or authentication information of a point-to-point (P2P) network;
The format of the authentication information of the broadcast network comprises the following fields in order: a Type field storing the message type, a Length field storing the message length, an Extended Local Circuit ID field storing the extended local circuit identifier, an Authentication Type field storing the authentication type, and an Authentication Value field storing the authentication information;
The format of the authentication information of the P2P network comprises the following fields in order: a Type field storing the message type, a Length field storing the message length, a Neighbor LAN ID field storing the neighbor link identifier, an Authentication Type field storing the authentication type, and an Authentication Value field storing the authentication information.
A fourth aspect of the embodiments of the present invention discloses a network device, used as a second network device, comprising:
A communication unit, configured to receive, over a first unidirectional link, a HELLO message sent by a first network device, the HELLO message carrying first authentication information used to authenticate the first network device, the first unidirectional link being a directly connected link from the first network device to the second network device;
A processor, configured, where the second network device has authentication enabled, to authenticate the HELLO message carrying the first authentication information used to authenticate the first network device and, when authentication succeeds, to send an extended unidirectional link (UDL) link state packet (LSP) message to the first network device over a second unidirectional link, the extended UDL LSP message being used to respond to the HELLO message and carrying second authentication information used to authenticate the second network device; the first network device authenticates the extended UDL LSP message, and where the authentication result is that both the first network device and the second network device have authentication enabled and authentication succeeds, the neighbor relationship with the first network device is established;
The second unidirectional link is an indirectly connected link from the second network device to the first network device.
In a first implementation of the fourth aspect of the embodiments of the present invention, where the second network device does not have authentication enabled, the device further comprises:
The processor, configured to send a unidirectional link (UDL) link state packet (LSP) message to the first network device over the second unidirectional link, the UDL LSP message not carrying the second authentication information used to authenticate the second network device; the first network device authenticates the UDL LSP message, and where the first network device does not detect in the UDL LSP message the second authentication information used to authenticate the second network device, the neighbor relationship with the first network device is not established.
In a second implementation of the fourth aspect of the embodiments of the present invention, the processor configured to authenticate the HELLO message carrying the first authentication information used to authenticate the first network device comprises:
The processor, configured to extract the first authentication information from the HELLO message carrying the first authentication information used to authenticate the first network device, and to authenticate the HELLO message using the first authentication information; when the authentication is valid, it confirms that authentication succeeds; when the authentication is invalid, it confirms that authentication fails and does not establish a neighbor relationship with the first network device.
In a third implementation of the fourth aspect of the embodiments of the present invention, where the second network device has authentication enabled and the first network device does not, the device further comprises:
The communication unit, configured to receive, over the first unidirectional link, a HELLO message sent by the first network device, the HELLO message not carrying the first authentication information used to authenticate the first network device, the first unidirectional link being a directly connected link from the first network device to the second network device;
The processor, configured to authenticate the HELLO message that does not carry the first authentication information used to authenticate the first network device; when the first authentication information cannot be extracted, it confirms that authentication fails and discards the HELLO message.
In a fourth implementation of the fourth aspect of the embodiments of the present invention, the processor configured to send the extended unidirectional link (UDL) link state packet (LSP) message to the first network device over the second unidirectional link, the extended UDL LSP message being used to respond to the HELLO message and carrying the second authentication information used to authenticate the second network device, comprises:
The processor, configured to add the second authentication information to the extended UDL LSP message and send the extended UDL LSP message to the first network device over the second unidirectional link, or to add the second authentication information to the extended UDL LSP message in encrypted form and send the extended UDL LSP message to the first network device over the second unidirectional link.
A fifth aspect of the embodiments of the present invention discloses a system for neighbor establishment, the system comprising: the network device used as the first network device disclosed in the second aspect of the embodiments of the present invention, the network device used as the second network device disclosed in the fourth aspect of the embodiments of the present invention, and the physical links connecting the first network device and the second network device. The physical links comprise a first unidirectional link from the first network device to the second network device and a second unidirectional link from the second network device to the first network device; the first unidirectional link is a directly connected link and the second unidirectional link is an indirectly connected link.
As the above technical solutions show, compared with the prior art, embodiments of the present invention disclose a method, device and system for neighbor establishment. They specify the behavior of the two neighbors when they enter the UDL scenario, that is, when link state detection shows that the physical link at one end is disconnected. Depending on whether the first network device and the second network device have authentication enabled, corresponding authentication information is added to the messages they send to each other. If both sides have authentication enabled, the first network device sends a HELLO message to the second network device, and the second network device authenticates the received HELLO message. After authentication succeeds, the second network device responds to the HELLO message with an extended UDL LSP message carrying the second authentication information used to authenticate the second network device. The first network device then receives and authenticates the extended UDL LSP message; when the authentication result is that both the first network device and the second network device have authentication enabled and authentication succeeds, the neighbor relationship between the first network device and the second network device can be established. The method disclosed in the embodiments of the present invention avoids the case in which a neighbor relationship can be established although only one end has passed authentication, which overcomes the problem of incomplete authentication during neighbor establishment and improves security and reliability when neighbors are established between network devices.
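The exchange summarized above, together with the broadcast-network authentication information layout from the first aspect, as an added Python example that is not part of the patent text. The Type code, field widths, the use of HMAC-SHA256 as the Authentication Value and the pre-shared key are all assumptions, since the page names the fields but gives no codes, sizes or algorithm.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Assumptions: the page names the fields but gives no codes or widths.
AUTH_INFO_TYPE = 0xF0      # hypothetical Type code
AUTH_TYPE_HMAC = 0x01      # hypothetical Authentication Type: HMAC-SHA256
HEADER = "!BBIB"           # Type(1) Length(1) Extended Local Circuit ID(4) Authentication Type(1)


def build_auth_info(circuit_id: int, key: bytes, payload: bytes) -> bytes:
    """Broadcast-network layout: Type, Length, Extended Local Circuit ID,
    Authentication Type, Authentication Value (here an HMAC over the payload)."""
    value = hmac.new(key, payload, hashlib.sha256).digest()
    length = 4 + 1 + len(value)                      # bytes that follow the Length field
    return struct.pack(HEADER, AUTH_INFO_TYPE, length, circuit_id, AUTH_TYPE_HMAC) + value


def parse_auth_info(buf: Optional[bytes]) -> Optional[Tuple[int, int, bytes]]:
    """Return (circuit_id, auth_type, auth_value); None if absent or malformed."""
    hdr = struct.calcsize(HEADER)
    if not buf or len(buf) < hdr:
        return None
    typ, length, circuit_id, auth_type = struct.unpack(HEADER, buf[:hdr])
    if typ != AUTH_INFO_TYPE or length != len(buf) - 2:
        return None
    return circuit_id, auth_type, buf[hdr:]


def verify(auth: Optional[bytes], key: Optional[bytes], payload: bytes) -> bool:
    """True only if authentication information is present and its value matches."""
    parsed = parse_auth_info(auth)
    if parsed is None or key is None or parsed[1] != AUTH_TYPE_HMAC:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(parsed[2], expected)


class Device:
    """key=None models a device on which authentication is not enabled."""

    def __init__(self, name: str, circuit_id: int, key: Optional[bytes] = None):
        self.name, self.circuit_id, self.key = name, circuit_id, key

    def _message(self, kind: bytes) -> dict:
        payload = kind + b":" + self.name.encode()
        auth = None
        if self.key is not None:
            auth = build_auth_info(self.circuit_id, self.key, payload)
        return {"payload": payload, "auth": auth}

    def send_hello(self) -> dict:
        """First device: HELLO over the directly connected unidirectional link."""
        return self._message(b"HELLO")

    def answer_hello(self, hello: dict) -> Optional[dict]:
        """Second device: authenticate the HELLO if enabled, then answer with a
        UDL LSP that carries authentication information only if enabled."""
        if self.key is not None and not verify(hello["auth"], self.key, hello["payload"]):
            return None                               # HELLO not accepted
        return self._message(b"UDL-LSP")

    def accept_udl_lsp(self, lsp: dict) -> bool:
        """First device: neighbor only if the LSP carries valid authentication information."""
        return verify(lsp["auth"], self.key, lsp["payload"])


def establish(first: Device, second: Device) -> str:
    """Run the HELLO / UDL LSP exchange and report the outcome."""
    lsp = second.answer_hello(first.send_hello())
    if lsp is None:
        return "hello-rejected"
    return "established" if first.accept_udl_lsp(lsp) else "lsp-rejected"


KEY = b"constructed-demo-key"   # constructed sample key, not from the page

if __name__ == "__main__":
    for k1, k2 in [(KEY, KEY), (KEY, None), (None, KEY)]:
        outcome = establish(Device("IS-T", 1, k1), Device("IS-R", 2, k2))
        print(f"first auth={k1 is not None} second auth={k2 is not None}: {outcome}")
```

The P2P layout differs only in the third field, which holds a Neighbor LAN ID instead of the Extended Local Circuit ID.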
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are merely embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the physical links over which the IS-T end and the IS-R end establish neighbors in the prior art and in the present invention;
Fig. 2 is a flowchart of a neighbor establishment method disclosed in Embodiment 1 of the present invention;
Fig. 3 is a flowchart of a neighbor establishment method disclosed in Embodiment 2 of the present invention;
Fig. 4 is a flowchart of a neighbor establishment method disclosed in Embodiment 3 of the present invention;
Fig. 5 is a schematic diagram of the format of the authentication information of the broadcast network disclosed in the embodiments of the present invention;
Fig. 6 is a schematic diagram of the format of the authentication information of the point-to-point (P2P) network disclosed in the embodiments of the present invention;
Fig. 7 is a flowchart of a neighbor establishment method disclosed in Example 1 of the present invention;
Fig. 8 is a flowchart of a neighbor establishment method disclosed in Example 2 of the present invention;
Fig. 9 is a flowchart of a neighbor establishment method disclosed in Example 3 of the present invention;
Fig. 10 is a schematic structural diagram of a neighbor establishment system disclosed in Embodiment 3 of the present invention.
Detailed description of the embodiments
For ease of reference and clarity, the technical terms, short forms and abbreviations used below are summarized as follows:
ISIS: Integrated Intermediate System-to-Intermediate System;
UDL: Unidirectional Links;
IS-T: the IS at the Transmit End of a UDL Link, the transmitting-end router of a unidirectional link;
IS-R: the IS at the Receive End of a UDL Link, the receiving-end router of a unidirectional link;
HELLO message: used to establish and maintain IS-IS adjacencies; a router periodically sends hello packets to adjacent routers at the hello interval;
TLV: type-length-value, a common message format in ISIS networks, usually referring to an optional variable-length field of routing information. The type field stores the message type and the length field stores the length of the message; the lengths of the type field and the length field are usually fixed. The value field stores the specific content of the message; its length is variable and it may contain one or more fields of TLV type;
SUB TLV: the value field in a TLV can be divided, in a similar format, into a subtype, a subtype message length and a subtype message content field. The SUB type, SUB value length and SUB value fields are collectively called a SUB TLV, where SUB type indicates the type of the SUB value field, SUB value length indicates the length of the SUB value field in bytes, and SUB value holds the protocol content of the SUB TLV field;
LSP: Link-State Packet;
UDL TLV: the TLV with UDL Information, a TLV carrying UDL information;
UDL LSP: the LSP with UDL-TLV, an LSP carrying a UDL TLV.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the embodiments of the present invention.
As can be seen from the background, in the prior art, for example in the unidirectional ISIS protocol, a UDL LSP is defined and neighbor information is carried in the UDL LSP. As shown in Fig. 1, the IS-R end floods the neighbor information of IS-R to IS-T over the physical links through R3, R4 and R5, so that a neighbor relationship is established between IS-T and IS-R. In the prior art, in the UDL scenario, IS-R carries the neighbor information back to IS-T in the UDL LSP. When IS-T performs its check under the current unidirectional ISIS protocol, it only checks and authenticates the LSP transmitted over the one-way link, without further checking whether the IS-R port that sent the response has enabled authentication; if the LSP authentication passes, neighbor establishment between IS-T and IS-R is allowed.
That is, in the prior art, in the one-way link (UDL) scenario, when the UDL interface at the IS-T end has enabled authentication and the interface at the IS-R end has not, neighbor establishment between IS-T and IS-R should not be allowed, yet the neighbor relationship is established normally, which introduces a security risk into neighbor establishment.
Therefore, the embodiments of the present invention provide a method, apparatus and system for neighbor establishment. With the method disclosed in the embodiments, corresponding authentication information is added, according to whether the first network device and the second network device have enabled authentication, to the messages they send to each other over different one-way links. This avoids the situation in which a neighbor relationship between the two parties can be established even though only one end passes authentication, thereby overcoming incomplete authentication during neighbor establishment and improving security and reliability when neighbors are established between routers. The detailed process is described in the following embodiments of the present invention.
Embodiment one
As shown in Fig. 2, which is a flowchart of a neighbor establishment method disclosed in Embodiment one of the present invention, when both neighbors enter the UDL scenario, the method mainly comprises the following steps:
Step S101: the first network device sends a HELLO message to the second network device over the first one-way link;
In step S101, the first network device sends the HELLO message to the second network device over the first one-way link, and the HELLO message carries the first authentication information TLV used to authenticate the first network device. The first one-way link is the directly connected link from the first network device to the second network device.
The first network device and the second network device mentioned in the embodiments of the present invention may be network devices such as routers and switches.
Step S102: the first network device receives an extended UDL LSP message sent by the second network device over the second one-way link, the extended UDL LSP message being used to respond to the HELLO message;
In step S102, the second network device receives the HELLO message over the first one-way link and, according to whether it has itself enabled authentication, sends a UDL LSP message responding to the HELLO message to the first network device over the second one-way link. The second one-way link is the non-directly connected link from the second network device to the first network device.
The UDL LSP message is a link state packet (LSP) carrying a UDL TLV and contains the neighbor information sent to the first network device. The UDL TLV is the authentication information TLV that carries one-way link (UDL) information; whether a second authentication information SUB TLV used to authenticate the second network device is added to the UDL TLV depends on whether the second network device has enabled authentication.
If the second network device has enabled authentication, the SUB TLV is added; otherwise it is not.
That is, when the second network device has enabled authentication, the UDL LSP message that the first network device receives in step S102, sent by the second network device over the second one-way link in response to the HELLO message, is an extended UDL LSP message, which carries the second authentication information SUB TLV used to authenticate the second network device.
Step S103: the first network device authenticates the extended UDL LSP message; when the authentication result is that both the first network device and the second network device have enabled authentication and the authentication passes, the first network device establishes a neighbor relationship with the second network device.
In step S103, if the authentication result obtained is that both the first network device and the second network device have enabled authentication and the authentication passes, the first network device can establish the neighbor relationship with the second network device. Because the neighbor relationship is established only after both ends have enabled authentication and authentication has passed, the situation in which a neighbor relationship between the two parties can be established although only one end has enabled authentication and passed it is avoided. This overcomes incomplete authentication during neighbor establishment and improves security and reliability when neighbors are established between network devices.
Embodiment two
As shown in Fig. 3, which is a flowchart of another neighbor establishment method disclosed in Embodiment two of the present invention, when both neighbors enter the UDL scenario, the method mainly comprises the following steps:
Step S201: the second network device receives a HELLO message from the first network device over the first one-way link, the HELLO message carrying the first authentication information TLV used to authenticate the first network device;
In step S201, the first one-way link is the directly connected link from the first network device to the second network device.
Step S202: when the second network device has enabled authentication, the second network device receives the HELLO message over the first one-way link and authenticates it; when the authentication passes, it sends an extended UDL LSP message to the first network device over the second one-way link. The extended UDL LSP message is used to respond to the HELLO message and carries the second authentication information SUB-TLV used to authenticate the second network device.
In step S202, after the second network device has sent the extended UDL LSP message to the first network device over the second one-way link, the first network device authenticates the extended UDL LSP message, and when the authentication result is that both the first network device and the second network device have enabled authentication and the authentication passes, the neighbor relationship with the first network device is established.
The second one-way link is the non-directly connected link from the second network device to the first network device.
The extended UDL LSP message is a link state packet (LSP) carrying the UDL TLV and contains the neighbor information sent to the first network device. The UDL-TLV is the authentication information TLV that carries one-way link (UDL) information; when the second network device has enabled authentication, the second authentication information SUB TLV used to authenticate the second network device is added to the UDL TLV.
In the neighbor establishment method disclosed in this embodiment of the present invention, after the second network device receives the HELLO message sent by the first network device over the first one-way link, and when it has itself enabled authentication, it confirms that the first network device has also enabled authentication and passes authentication, and then sends to the first network device, over the second one-way link, the extended UDL LSP message carrying its own second authentication information SUB-TLV. The first network device authenticates the extended UDL LSP message; if the authentication result is that both the first network device and the second network device have enabled authentication and the authentication passes, the second network device can establish the neighbor relationship with the first network device. Because the neighbor relationship is established only after both ends have enabled authentication and authentication has passed, the situation in which a neighbor relationship between the two parties can be established although only one end has enabled authentication and passed it is avoided. This overcomes incomplete authentication during neighbor establishment and improves security and reliability when neighbors are established between network devices.
Embodiment three
As shown in Fig. 4, which is a flowchart of a neighbor establishment method disclosed in an embodiment of the present invention, when both neighbors enter the UDL scenario, the method mainly comprises the following steps:
Step S301: the first network device sends a HELLO message to the second network device over the first one-way link;
In step S301, whether the HELLO message that the first network device sends to the second network device over the first one-way link carries the first authentication information TLV used to authenticate the first network device depends on whether the first network device has enabled authentication;
When the first network device has enabled authentication, the HELLO message carries the first authentication information TLV used to authenticate the first network device;
When the first network device has not enabled authentication, the HELLO message does not carry the first authentication information TLV used to authenticate the first network device.
Step S302: when the second network device has enabled authentication, the second network device receives the HELLO message over the first one-way link and authenticates it. When the authentication passes, the second network device sends an extended UDL LSP message to the first network device over the second one-way link; the extended UDL LSP message is used to respond to the HELLO message and carries the second authentication information used to authenticate the second network device. When the authentication does not pass, the HELLO message is discarded;
During step S302, if the second network device has enabled authentication, it receives the HELLO message and authenticates it. The authentication process means extracting the first authentication information TLV and authenticating the HELLO message as a whole. When the message is judged legal and authentication is confirmed to have passed, the second network device sends, over the second one-way link, the extended UDL LSP message responding to the HELLO message to the first network device; the extended UDL LSP message carries the second authentication information SUB TLV used to authenticate the second network device. When the authentication does not pass, or no first authentication information TLV can be extracted to authenticate the HELLO message as a whole, the second network device directly discards the HELLO message, sends no response message to the first network device, and does not establish a neighbor relationship between the second network device and the first network device;
If the second network device has not enabled authentication, it sends a UDL LSP message to the first network device over the second one-way link, and the UDL LSP message does not carry the second authentication information SUB TLV used to authenticate the second network device.
In step S302, the UDL LSP message is a link state packet (LSP) carrying the UDL TLV and contains the neighbor information sent to the first network device. The UDL TLV is the authentication information TLV that carries one-way link (UDL) information. Whether the authentication information SUB TLV used to authenticate the second network device is added to the UDL LSP depends on whether the second network device has enabled authentication. When the second network device has enabled authentication, the second authentication information SUB TLV used to authenticate the second network device is added to the UDL TLV, extending the UDL LSP message to obtain the extended UDL LSP message;
When the second network device has not enabled authentication, the second authentication information SUB-TLV used to authenticate the second network device is not added to the UDL TLV, and the UDL LSP message is not extended.
Step S303: the first network device receives the extended UDL LSP over the second one-way link and authenticates it; when the authentication result is that both the first network device and the second network device have enabled authentication and the authentication passes, the neighbor relationship between the first network device and the second network device is established.
In step S303, after receiving the extended UDL LSP message over the second one-way link, the first network device authenticates it; in addition to the LSP authentication defined by the protocol itself, the UDL TLV is also authenticated. With authentication enabled, if the first network device's authentication of the extended UDL LSP message passes, it is determined that both the first network device and the second network device have enabled authentication and that the authentication passes, and the first network device establishes the neighbor relationship with the second network device.
The authentication process means extracting the second authentication information SUB TLV, carried in the extended UDL LSP message and used to authenticate the second network device, and authenticating the UDL TLV as a whole.
During step S303, when both the first network device and the second network device have enabled authentication and the authentication is confirmed to have passed, the first network device and the second network device are allowed to establish the neighbor relationship.
In the neighbor establishment method disclosed in this embodiment of the present invention, corresponding authentication information is added, according to whether the first network device and the second network device have enabled authentication, to the messages they send to each other over different one-way links. In particular, when it is detected that, in the current link state, the physical link at one end is disconnected, the extended UDL LSP to which the second authentication information SUB TLV used to authenticate the second network device has been added is used to respond to the HELLO message sent by the first network device. During the handshake between the first network device and the second network device, the first network device authenticates the extended UDL LSP message after receiving it; when the authentication result is that both the first network device and the second network device have enabled authentication and the authentication passes, the neighbor relationship between the first network device and the second network device is established. With the method disclosed in this embodiment, the situation in which, with authentication enabled at both ends, a neighbor relationship between the two parties can be established although only one end passes authentication is avoided. This overcomes incomplete authentication when neighbors are established between network devices and improves security and reliability when neighbors are established between network devices.
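The decision flow of steps S301 to S303 can be followed in the sketch below, which is an added example and not code from the patent. The TLV type codes, the shared key, the use of HMAC-MD5 with the digest field zeroed during computation, and all function names are assumptions made for illustration; treating the case where neither end has enabled authentication as "no neighbor" is also an assumption, since this section does not cover it.

```python
import hashlib
import hmac

# Constructed type codes for this sketch; not taken from the patent or any IS-IS registry.
T_ID, T_AUTH, T_UDL = 0x01, 0x0A, 0xF1   # HELLO sender id, first auth TLV, UDL TLV
ST_NEIGHBOR, ST_AUTH = 0x01, 0x02        # neighbor info SUB TLV, second auth SUB TLV
DIGEST_LEN = 16                          # HMAC-MD5 output size


def tlv(t, v):
    """Encode one type-length-value item with one-byte type and length."""
    return bytes([t, len(v)]) + v


def parse_tlvs(buf):
    """Decode a TLV sequence, rejecting truncated items."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV")
        items.append((buf[i], buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return items


def mac(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def seal(items, auth_type, key):
    """Append an auth (SUB) TLV whose value is a MAC over the whole encoding,
    computed with the digest field set to zero (assumed convention)."""
    zeroed = b"".join(tlv(t, v) for t, v in items) + tlv(auth_type, bytes(DIGEST_LEN))
    return zeroed[:-DIGEST_LEN] + mac(key, zeroed)


def check(buf, auth_type, key):
    """Return 'absent' if no auth (SUB) TLV is present, else 'ok' or 'bad'."""
    try:
        items = parse_tlvs(buf)
    except ValueError:
        return "bad"
    auth = [v for t, v in items if t == auth_type]
    if not auth:
        return "absent"
    if len(auth) != 1 or len(auth[0]) != DIGEST_LEN:
        return "bad"
    zeroed = b"".join(tlv(t, bytes(DIGEST_LEN) if t == auth_type else v) for t, v in items)
    return "ok" if hmac.compare_digest(auth[0], mac(key, zeroed)) else "bad"


def second_device_respond(hello, key_r, neighbor_info):
    """Step S302. key_r is None when the second device has not enabled authentication.
    Returns the UDL LSP payload, or None when the HELLO message is discarded."""
    if key_r is None:
        return tlv(T_UDL, tlv(ST_NEIGHBOR, neighbor_info))   # UDL LSP not extended
    if check(hello, T_AUTH, key_r) != "ok":
        return None   # first auth TLV missing or invalid: discard, send no response
    return tlv(T_UDL, seal([(ST_NEIGHBOR, neighbor_info)], ST_AUTH, key_r))


def first_device_accept(udl_lsp, key_t):
    """Step S303. True only when both ends enabled authentication and it passes."""
    if udl_lsp is None or key_t is None:
        return False   # no response, or first device not enabled (assumed: no neighbor)
    try:
        udl = [v for t, v in parse_tlvs(udl_lsp) if t == T_UDL]
    except ValueError:
        return False
    # A UDL TLV without the second auth SUB TLV means the peer has not enabled
    # authentication, so the neighbor relationship is refused.
    return len(udl) == 1 and check(udl[0], ST_AUTH, key_t) == "ok"


def handshake(key_t, key_r):
    """Run S301 to S303 for a first device (key_t) and a second device (key_r)."""
    ident = [(T_ID, b"IS-T")]   # constructed sender identifier
    hello = seal(ident, T_AUTH, key_t) if key_t else tlv(*ident[0])
    return first_device_accept(second_device_respond(hello, key_r, b"IS-T"), key_t)


if __name__ == "__main__":
    k = b"constructed-key"
    for name, kt, kr in [("both enabled", k, k), ("only first enabled", k, None),
                         ("only second enabled", None, k)]:
        print(name, "->", "neighbor established" if handshake(kt, kr) else "no neighbor")
```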
Embodiment four
Based on the neighbor establishment method disclosed in the embodiments of the present invention, in step S301 shown in Fig. 4 the first network device sends a HELLO message to the second network device over the first one-way link. Whether the HELLO message carries the first authentication information TLV used to authenticate the first network device depends on whether the first network device has enabled authentication. When the first network device sends the HELLO message to the second network device, the following cases arise:
In the first case, the first network device has not enabled authentication, and it sends to the second network device a HELLO message that does not carry the first authentication information TLV used to authenticate the first network device;
In the second case, the first network device has enabled authentication; it fills the information of the enabled authentication into the first authentication information TLV, so that the HELLO message carries the first authentication information TLV used to authenticate the first network device. The first network device sends the HELLO message carrying the first authentication information TLV used to authenticate the first network device to the second network device over the first one-way link.
Based on the neighbor establishment method disclosed in Embodiment one of the present invention, in step S302 shown in Fig. 4, when the second network device has enabled authentication, the second network device receives the HELLO message over the first one-way link and authenticates it. When the authentication passes, the second network device sends an extended UDL LSP message to the first network device over the second one-way link, the extended UDL LSP message being used to respond to the HELLO message. The extended UDL LSP message carries the second authentication information used to authenticate the second network device. When the authentication does not pass, the HELLO message is discarded.
When the second network device has enabled authentication, it sends the extended UDL LSP message to the first network device; the extended UDL LSP message is used to respond to the HELLO message and carries the second authentication information SUB-TLV used to authenticate the second network device. It should be noted here that the second network device can add the second authentication information SUB-TLV in two ways: plaintext and ciphertext.
In the plaintext mode, the information of the enabled authentication is filled directly into the second authentication information SUB TLV, and the second authentication information SUB TLV is added to the UDL TLV. In the ciphertext mode, the information of the enabled authentication is filled into the second authentication information SUB TLV (if an encrypted value of the message needs to be calculated, only the encrypted value of the UDL TLV is calculated), and the SUB TLV is then added to the UDL TLV, so that the UDL LSP message carrying the UDL TLV also carries the second authentication information SUB-TLV used to authenticate the second network device, constituting the extended UDL LSP message.
The second network device responds to the HELLO message with the extended UDL LSP message carrying the second authentication information SUB TLV used to authenticate the second network device. It should be noted that authentication information can be added in many ways in the embodiments of the present invention, which are not limited to the above; encryption methods such as MD5 and keychain may also be used, with the enabled-authentication information calculated over the entire UDL TLV being added to the second authentication information SUB TLV.
In a specific application, the second authentication information SUB TLV includes the authentication information SUB-TLV for a broadcast network or for a point-to-point (P2P) network, defined as follows:
The format of the authentication information SUB-TLV for a broadcast network is shown in Fig. 5 and comprises the following fields in order: a one-byte field for storing the message type Type; a one-byte field for storing the message length Length; a field of length nib for storing the extended local circuit identifier Extended Local Circuit ID; a one-byte field for storing the authentication type Authentication Type; and a field with reserved space for storing the authentication information Authentication Value;
The format of the authentication information SUB-TLV for a point-to-point (P2P) network is shown in Fig. 6 and comprises the following fields in order: a one-byte field for storing the message type Type; a one-byte field for storing the message length Length; a field whose length is the sum of the identifier length and one byte, for storing the neighbor link identifier Neighbor LAN ID; a one-byte field for storing the authentication type Authentication Type; and a field with reserved space for storing the authentication information Authentication Value.
It should be noted that the number of bytes occupied by each field in the above authentication information SUB-TLV for a broadcast network and authentication information SUB-TLV for a point-to-point (P2P) network is only an example given by the embodiments of the present invention; the number of bytes occupied by each field may be allocated differently and is not fixed.
For Embodiments one to three of the present invention, regarding whether the second network device and the first network device have enabled authentication, and the various processing performed by the first network device and the second network device according to their respective authentication-enabled states, the neighbor establishment method disclosed in the embodiments of the present invention is further explained by the following examples, according to the procedures executed when the authentication-enabled states of the first network device and the second network device differ.
Example one
When both the first network device and the second network device have enabled authentication, the neighbor establishment process between the first network device and the second network device is as shown in Fig. 7 and mainly comprises the following steps:
Step S401: the first network device sends, over the first one-way link to the second network device, a HELLO message carrying the first authentication information TLV used to authenticate the first network device;
The first one-way link is the directly connected link from the first network device to the second network device;
Step S402: the second network device receives, over the first one-way link, the HELLO message carrying the first authentication information TLV used to authenticate the first network device and authenticates it. When the authentication passes, the second network device sends an extended UDL LSP message to the first network device over the second one-way link, the extended UDL LSP message carrying the second authentication information SUB TLV used to authenticate the second network device; when the authentication does not pass, the HELLO message is discarded;
The second one-way link is the non-directly connected link from the second network device to the first network device;
During step S402, the second network device receives, over the first one-way link, the HELLO message carrying the first authentication information TLV used to authenticate the first network device and authenticates it. The authentication process is to extract the first authentication information TLV and authenticate the HELLO message as a whole. When the message is authenticated as legal, authentication is confirmed to have passed; when it is authenticated as illegal, authentication is confirmed not to have passed, and the neighbor relationship with the first network device is not established.
After the authentication passes, the second network device sends an extended one-way link (UDL) link state packet (LSP) message to the first network device over the second one-way link. The extended UDL LSP message is used to respond to the HELLO message and carries the second authentication information used to authenticate the second network device.
It should be noted that in this example the first network device has enabled authentication, but camouflaged authentication information may also exist. A HELLO message using camouflaged authentication information cannot pass the authentication of the entire HELLO message, so when the second network device has enabled authentication the HELLO message still needs to be discarded; the embodiments of the present invention do not describe this further. The embodiments of the present invention focus on the case where both the first network device and the second network device have correctly enabled authentication.
Step S403: the first network device receives, over the second one-way link, the extended UDL LSP message carrying the second authentication information SUB-TLV used to authenticate the second network device and authenticates it. When the message is authenticated as legal, the authentication passes, and the first network device establishes the neighbor relationship with the second network device.
During step S403, the first network device extracts the UDL TLV carried in the extended UDL LSP message and uses the second authentication information SUB TLV added to the UDL TLV to authenticate the entire UDL TLV. When both the first network device and the second network device have enabled authentication, if the authentication passes, the first network device establishes the neighbor relationship with the second network device.
In the neighbor establishment method disclosed in Example one, when both the first network device and the second network device have enabled authentication, corresponding authentication information is added to the messages they send to each other. The second network device receives, over the first one-way link, the HELLO message carrying the first authentication information TLV used to authenticate the first network device and authenticates it; when the authentication passes, it responds to the HELLO message with the extended UDL LSP message carrying the second authentication information SUB TLV used to authenticate the second network device. During the handshake between the first network device and the second network device, the first network device authenticates the extended UDL LSP message it has received; when the authentication result is that both the first network device and the second network device have enabled authentication and the authentication passes, the neighbor relationship between the first network device and the second network device is established.
With the method disclosed in this example, both parties enable authentication, and the extended UDL LSP message carries the second authentication information SUB TLV used to authenticate the second network device; after the authentication passes, the neighbor relationship between the first network device and the second network device is established. With authentication enabled at both ends, this avoids the situation in which a neighbor relationship between the two parties can be established although only one end passes authentication, overcoming incomplete authentication when neighbors are established between network devices and improving security and reliability when neighbors are established between network devices.
Example two
When the first network device has enabled authentication and the second network device has not, the neighbor establishment process between the first network device and the second network device is as shown in Fig. 8 and mainly comprises the following steps:
Step S501: the first network device sends, over the first one-way link to the second network device, a HELLO message carrying the first authentication information TLV used to authenticate the first network device;
Step S502: the second network device receives, over the first one-way link, the HELLO message carrying the first authentication information TLV used to authenticate the first network device, and sends a UDL LSP message to the first network device over the second one-way link; the UDL LSP message does not carry the second authentication information used to authenticate the second network device;
In step S502, because the second network device has not enabled authentication, when it responds to the HELLO message sent by the first network device carrying the first authentication information TLV used to authenticate the first network device, it does not add the second authentication information SUB-TLV used to authenticate the second network device to the UDL TLV and does not extend the UDL LSP message. That is, the UDL LSP message at this point contains no second authentication information SUB TLV used to authenticate the second network device.
Step S503: the first network device receives, over the second one-way link, the UDL LSP message that does not carry the second authentication information SUB TLV used to authenticate the second network device and authenticates it; upon finding that the UDL LSP message does not carry the second authentication information used to authenticate the second network device, it does not establish the neighbor relationship with the second network device.
During step S503, the first network device receives the UDL LSP message over the second one-way link and, during authentication, confirms that the UDL TLV carried in the UDL LSP message contains no second authentication information SUB TLV used to authenticate the second network device; that is, the UDL LSP message is considered to contain no second authentication information SUB TLV used to authenticate the second network device. To guarantee security, the first network device does not establish the neighbor relationship with the second network device in this case.
In this example disclosed by the present invention, during the handshake between the first network device and the second network device, the first network device authenticates the UDL LSP message it has received in response to the HELLO message. When it confirms that the second network device has not enabled authentication, the first network device does not establish the neighbor relationship with the second network device, in order to guarantee the security of the network. This ensures that a neighbor relationship between the two parties is not established when only one end has enabled authentication, overcoming incomplete authentication when neighbors are established between network devices and improving security and reliability when neighbors are established between network devices.
Example three
In the case where the first network equipment has not enabled authentication and the second network equipment has enabled authentication, neighbor establishment between the first network equipment and the second network equipment is as shown in Figure 9 and mainly comprises the following steps:
Step S601: the first network equipment sends to the second network equipment, over the first one-way link, a HELLO message that does not carry the first authentication information TLV for authenticating the first network equipment;
While executing step S601, because the first network equipment has not enabled authentication, the HELLO message it sends to the second network equipment over the first one-way link does not carry the first authentication information TLV for authenticating the first network equipment.
Step S602: the second network equipment receives, over the first one-way link, the HELLO message sent by the first network equipment that does not carry the first authentication information TLV for authenticating the first network equipment, and authenticates it; when the first authentication information TLV cannot be extracted, it confirms that authentication does not pass, discards the HELLO message that does not carry the first authentication information TLV for authenticating the first network equipment, and does not establish a neighbor relationship with the first network equipment.
While executing step S602, what the second network equipment receives over the first one-way link is a HELLO message that does not carry the first authentication information TLV for authenticating the first network equipment. It authenticates the message; because the first authentication information TLV cannot be extracted, authentication fails and the second network equipment confirms that authentication does not pass. Because the second network equipment has enabled authentication, it now knows that one end has not enabled authentication while the other end has, so a neighbor relationship cannot be established. The second network equipment therefore discards the HELLO message that does not carry the first authentication information TLV for authenticating the first network equipment and does not establish a neighbor relationship with the first network equipment.
Example four
In the case where neither the first network equipment nor the second network equipment has enabled authentication, the neighbor establishment process between the first network equipment and the second network equipment is as follows: in the case where the first network equipment has not enabled authentication, the first network equipment sends to the second network equipment, over the first one-way link, a HELLO message that does not carry the first authentication information TLV for authenticating the first network equipment; in the case where the second network equipment has not enabled authentication, the second network equipment receives that HELLO message over the first one-way link and responds to it, over the second one-way link, with a UDL LSP message that does not carry the second authentication information SUB-TLV for authenticating the second network equipment; after the first network equipment receives, over the second one-way link, the UDL LSP message that does not carry the second authentication information SUB-TLV for authenticating the second network equipment, the neighbor relationship between the first network equipment and the second network equipment is established.
This example covers the case where neither the first network equipment nor the second network equipment has enabled authentication; because no authentication issue is involved, the two ends can establish a neighbor relationship.
The neighbor establishment method disclosed in the above embodiments and examples of the invention specifies the behavior when both neighbors enter a one-way link (UDL) scenario. According to whether the first network equipment and the second network equipment have enabled authentication, corresponding authentication information is added to the messages they send to each other: the first network equipment sends to the second network equipment, over the first one-way link, a HELLO message carrying the first authentication information TLV for authenticating the first network equipment, and the second network equipment sends to the first network equipment, over the second one-way link, an extended UDL LSP message carrying the second authentication information SUB-TLV for authenticating the second network equipment. During the handshake interaction between the first network equipment and the second network equipment, the first network equipment authenticates the extended UDL LSP message after receiving it; when the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, the neighbor relationship between the first network equipment and the second network equipment is established.
The method disclosed in the embodiments of the invention avoids the situation in which both ends have enabled authentication and authentication passes at only one end, yet a neighbor relationship between the two sides can still be established. This overcomes the problem of incomplete authentication during neighbor establishment between network equipment and improves the security and reliability of neighbor establishment between network equipment.
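The outcomes of Examples one to four can be exercised with the following sketch, which is added here as an illustration and is not part of the patent text. It models the first network equipment (IS-T) and the second network equipment (IS-R) and encodes the authentication SUB-TLV in the field order given for the broadcast-network authentication information; the HMAC-SHA256 algorithm, the code points, the field widths, the payloads and all function names are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: the page names the fields but gives no code
# points, field widths or algorithm, so these values are assumptions.
AUTH_SUBTLV_TYPE = 0xF1
AUTH_TYPE_HMAC_SHA256 = 0x01
HELLO_BODY = b"HELLO from IS-T"        # constructed sample payloads
LSP_BODY = b"UDL LSP from IS-R"


def mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def build_auth_subtlv(key: bytes, circuit_id: int, body: bytes) -> bytes:
    """Type | Length | Extended Local Circuit ID | Auth Type | Auth Value."""
    value = struct.pack("!IB", circuit_id, AUTH_TYPE_HMAC_SHA256) + mac(key, body)
    return struct.pack("!BB", AUTH_SUBTLV_TYPE, len(value)) + value


def find_auth_subtlv(udl_tlv: bytes) -> Optional[tuple]:
    """Walk the sub-TLVs of a UDL TLV; return (circuit_id, type, value) or None."""
    pos = 0
    while pos + 2 <= len(udl_tlv):
        sub_type, length = udl_tlv[pos], udl_tlv[pos + 1]
        value = udl_tlv[pos + 2:pos + 2 + length]
        if len(value) < length:        # truncated sub-TLV: treat as absent
            return None
        if sub_type == AUTH_SUBTLV_TYPE and length >= 5:
            circuit_id, auth_type = struct.unpack("!IB", value[:5])
            return circuit_id, auth_type, value[5:]
        pos += 2 + length
    return None


@dataclass
class Device:
    name: str
    key: Optional[bytes] = None        # None: authentication is not enabled


@dataclass
class Hello:
    body: bytes
    auth_tlv: Optional[bytes]          # first authentication information, if any


@dataclass
class UdlLsp:
    body: bytes
    udl_tlv: bytes                     # concatenated sub-TLVs of the UDL TLV


def send_hello(first: Device) -> Hello:
    return Hello(HELLO_BODY, mac(first.key, HELLO_BODY) if first.key else None)


def answer_hello(second: Device, hello: Hello) -> Optional[UdlLsp]:
    """Second equipment: authenticate the HELLO, answer with a UDL LSP or drop."""
    if second.key is None:             # not enabled: UDL LSP without the SUB-TLV
        return UdlLsp(LSP_BODY, b"")
    if hello.auth_tlv is None:         # nothing to extract: fail and discard
        return None
    if not hmac.compare_digest(hello.auth_tlv, mac(second.key, hello.body)):
        return None                    # invalid authentication: no neighbor
    return UdlLsp(LSP_BODY, build_auth_subtlv(second.key, 1, LSP_BODY))


def accept_lsp(first: Device, lsp: UdlLsp) -> bool:
    """First equipment: decide whether the UDL LSP permits the neighbor relationship."""
    found = find_auth_subtlv(lsp.udl_tlv)
    if first.key is None:
        # Both ends without authentication may peer. A SUB-TLV arriving here is
        # not a case the page describes; refusing it is this example's choice.
        return found is None
    if found is None:                  # peer has not enabled authentication
        return False
    _, auth_type, auth_value = found
    return (auth_type == AUTH_TYPE_HMAC_SHA256
            and hmac.compare_digest(auth_value, mac(first.key, lsp.body)))


def establish(first: Device, second: Device) -> bool:
    lsp = answer_hello(second, send_hello(first))
    return lsp is not None and accept_lsp(first, lsp)


if __name__ == "__main__":
    k = b"constructed-shared-key"      # constructed sample key
    for t_key, r_key in [(k, k), (k, None), (None, k), (None, None)]:
        ok = establish(Device("IS-T", t_key), Device("IS-R", r_key))
        print(f"IS-T auth={t_key is not None} IS-R auth={r_key is not None}: {ok}")
```

A mismatched key on either side also ends without a neighbor relationship, because IS-R discards the HELLO before any UDL LSP is sent.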
Based on the neighbor establishment method disclosed in the above embodiments of the invention, the invention correspondingly also discloses network equipment that uses the neighbor establishment method of Embodiments one to three above, used specifically as the first network equipment and the second network equipment, and a neighbor establishment system having the first network equipment and the second network equipment. The system establishes the neighbor relationship between the first network equipment and the second network equipment based on the neighbor establishment method disclosed in the above embodiments; the detailed process is described in the following embodiments.
Embodiment five
Based on Embodiment one of the invention above, this embodiment correspondingly discloses network equipment, used as the first network equipment, which mainly comprises:
A communication unit, configured to send a HELLO message to the second network equipment over the first one-way link, the HELLO message carrying the first authentication information for authenticating the first network equipment, and to receive, over the second one-way link, an extended one-way link (UDL) link state packet (LSP) message from the second network equipment, the extended UDL LSP message being used to respond to the HELLO message; in the case where the second network equipment has enabled authentication, the extended UDL LSP message carries the second authentication information for authenticating the second network equipment; the first one-way link is a directly connected link from the first network equipment to the second network equipment, and the second one-way link is a non-directly-connected link from the second network equipment to the first network equipment;
A processor, configured to authenticate the extended UDL LSP message and, when the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, to establish the neighbor relationship between the first network equipment and the second network equipment.
Depending on whether the first network equipment and the second network equipment have enabled authentication, the following cases can be distinguished.
In the case where the communication unit receives the extended UDL LSP message sent by the second network equipment that carries the second authentication information SUB-TLV for authenticating the second network equipment:
The processor is configured to extract the second authentication information SUB-TLV for authenticating the second network equipment carried in the extended UDL LSP message and to perform authentication; when the authentication is valid, it obtains the authentication result that both the first network equipment and the second network equipment have enabled authentication and authentication passes.
In the case where the communication unit is configured to receive, over the second one-way link, a one-way link (UDL) link state packet (LSP) message from the second network equipment, the UDL LSP message being used to respond to the HELLO message and not carrying the second authentication information for authenticating the second network equipment:
The processor is configured to authenticate the UDL LSP message and, when it does not detect that the UDL LSP message carries the second authentication information for authenticating the second network equipment, not to establish a neighbor relationship with the second network equipment.
Here, the first one-way link is a directly connected link from the first network equipment to the second network equipment, and the second one-way link is a non-directly-connected link from the second network equipment to the first network equipment.
Based on Embodiment two of the invention above, this embodiment correspondingly discloses network equipment, used as the second network equipment, which mainly comprises:
A communication unit, configured to receive, over the first one-way link, the HELLO message sent by the first network equipment, the HELLO message carrying the first authentication information for authenticating the first network equipment, the first one-way link being a directly connected link from the first network equipment to the second network equipment;
A second processor, configured, in the case where the second network equipment has enabled authentication, to authenticate the HELLO message carrying the first authentication information for authenticating the first network equipment and, when authentication passes, to send an extended one-way link (UDL) link state packet (LSP) message to the first network equipment over the second one-way link, the extended UDL LSP message being used to respond to the HELLO message and carrying the second authentication information for authenticating the second network equipment; the first network equipment authenticates the extended UDL LSP message, and in the case where the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, the neighbor relationship with the first network equipment is established;
The second one-way link is a non-directly-connected link from the second network equipment to the first network equipment.
Depending on whether the first network equipment and the second network equipment have enabled authentication and whether authentication passes, there are the following cases.
In the case where the second network equipment has not enabled authentication, and the communication unit for receiving the HELLO message sent by the first network equipment receives a HELLO message carrying the first authentication information TLV for authenticating the first network equipment:
The processor is configured to send a one-way link (UDL) link state packet (LSP) message to the first network equipment over the second one-way link, the UDL LSP message not carrying the second authentication information for authenticating the second network equipment; the first network equipment authenticates the UDL LSP message, and in the case where the first network equipment does not detect that the UDL LSP message carries the second authentication information for authenticating the second network equipment, the neighbor relationship with the first network equipment is not established.
Where the communication unit for receiving the HELLO message sent by the first network equipment receives a HELLO message carrying the first authentication information TLV for authenticating the first network equipment, the processor for authenticating the HELLO message, in the case where the first network equipment has enabled authentication, comprises:
The processor is configured to extract the first authentication information from the HELLO message carrying the first authentication information for authenticating the first network equipment, and to authenticate the HELLO message using the first authentication information; when the authentication is valid, it confirms that authentication passes; when the authentication is invalid, it confirms that authentication does not pass and does not establish a neighbor relationship with the first network equipment.
Where the second communication unit for receiving the HELLO message sent by the first network equipment receives a HELLO message that does not carry the first authentication information TLV for authenticating the first network equipment, the processor for authenticating the HELLO message, in the case where the first network equipment has not enabled authentication, further comprises:
The processor is configured to authenticate the HELLO message that does not carry the first authentication information for authenticating the first network equipment and, when the first authentication information cannot be extracted, to confirm that authentication does not pass and discard the HELLO message.
The processor that authenticates the HELLO message and, when authentication passes and in the case where the second network equipment has enabled authentication, sends an extended one-way link (UDL) link state packet (LSP) message to the first network equipment over the second one-way link, the extended UDL LSP message being used to respond to the HELLO message and carrying the second authentication information for authenticating the second network equipment, comprises:
The processor is configured to add the second authentication information to the extended UDL LSP message and send the extended UDL LSP message to the first network equipment over the second one-way link; or to add the second authentication information to the extended UDL LSP message in an encrypted manner and send the extended UDL LSP message to the first network equipment over the second one-way link.
It should be noted that, in Embodiments one to five of the invention disclosed above, the first network equipment sends information to the second network equipment over the first one-way link, and the second network equipment sends information to the first network equipment over the second one-way link; the first one-way link is a directly connected link from the first network equipment to the second network equipment, and the second one-way link is a non-directly-connected link from the second network equipment to the first network equipment.
Embodiment six
The neighbor establishment system disclosed in this embodiment of the invention, as shown in Figure 10, mainly comprises: the first network equipment disclosed above (labeled IS-T in Figure 10), the second network equipment (labeled IS-R in Figure 10), and the physical links connecting the first network equipment and the second network equipment. The physical links include a first one-way link directed from the first network equipment to the second network equipment and a second one-way link directed from the second network equipment to the first network equipment; the first one-way link is a directly connected link, and the second one-way link is a non-directly-connected link. The physical links R3, R4 and R5 in Figure 10 constitute the second one-way link directed from the second network equipment to the first network equipment.
The first network equipment is configured to send a HELLO message to the second network equipment over the first one-way link, where whether the HELLO message carries the authentication information TLV for authenticating the first network equipment is tied to whether the first network equipment has enabled authentication; and to receive the extended UDL LSP message sent by the second network equipment in response to the HELLO message and authenticate it; when the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, it establishes the neighbor relationship between the first network equipment and the second network equipment;
The second network equipment is configured, in the case where the second network equipment has enabled authentication, to authenticate the HELLO message received from the first network equipment; when authentication passes, to respond to the HELLO message with an extended UDL LSP message that carries the second authentication information SUB-TLV for authenticating the second network equipment; and when authentication does not pass, to discard the HELLO message.
In summary, with the neighbor establishment method and system disclosed in the embodiments of the invention, corresponding authentication information is added to the messages that the first network equipment and the second network equipment send to each other over different one-way links, according to whether each has enabled authentication. This avoids the situation in which both ends have enabled authentication and authentication passes at only one end, yet a neighbor relationship between the two sides can still be established. It thereby overcomes the problem of incomplete authentication during neighbor establishment between network equipment and improves the security and reliability of neighbor establishment between network equipment.
The embodiments in this description are described progressively; each embodiment focuses on its differences from the other embodiments, and for parts that are the same or similar the embodiments may be referred to one another. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant points, see the description of the method. The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent for those skilled in the art.

Claims (19)

1. A neighbor establishment method, characterized in that the method comprises:
First network equipment sends a HELLO message to second network equipment over a first one-way link, the HELLO message carrying first authentication information for authenticating the first network equipment, the first one-way link being a directly connected link from the first network equipment to the second network equipment;
In the case where the second network equipment has enabled authentication, the first network equipment receives, over a second one-way link, an extended one-way link (UDL) link state packet (LSP) message from the second network equipment, the extended UDL LSP message being used to respond to the HELLO message and carrying second authentication information for authenticating the second network equipment, the second one-way link being a non-directly-connected link from the second network equipment to the first network equipment;
The first network equipment authenticates the extended UDL LSP message, and when the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, the first network equipment establishes a neighbor relationship with the second network equipment.
2. The method according to claim 1, characterized in that the first network equipment authenticating the extended UDL LSP message comprises:
The first network equipment extracts the second authentication information for authenticating the second network equipment carried in the extended UDL LSP message and performs authentication; when the authentication is valid, it obtains the authentication result that both the first network equipment and the second network equipment have enabled authentication and authentication passes.
3. The method according to claim 1, characterized in that, after the first network equipment sends the HELLO message to the second network equipment over the first one-way link, the method further comprises:
In the case where the second network equipment has not enabled authentication, the first network equipment receives, over the second one-way link, a one-way link (UDL) link state packet (LSP) message from the second network equipment, the UDL LSP message being used to respond to the HELLO message and not carrying the second authentication information for authenticating the second network equipment, the second one-way link being a non-directly-connected link from the second network equipment to the first network equipment; the first network equipment authenticates the UDL LSP message, and when it does not detect that the UDL LSP message carries the second authentication information for authenticating the second network equipment, it does not establish a neighbor relationship with the second network equipment.
4. The method according to claim 1 or 2, characterized in that the second authentication information for authenticating the second network equipment comprises: authentication information of a broadcast network or authentication information of a point-to-point (P2P) network;
The authentication information of the broadcast network comprises: a Type field for storing the message type (Type), a Length field for storing the message length (Length), an Extended Local Circuit ID field for storing the local extended circuit identifier (Extended Local Circuit ID), an Authentication Type field for storing the authentication type (Authentication Type), and an Authentication Value field for storing the authentication information (Authentication Value);
The format of the authentication information of the P2P network comprises the following fields in order: a Type field for storing the message type (Type), a Length field for storing the message length (Length), a Neighbor LAN ID field for storing the neighbor link identifier (Neighbor LAN ID), an Authentication Type field for storing the authentication type (Authentication Type), and an Authentication Value field for storing the authentication information (Authentication Value).
5. Network equipment, used as first network equipment, characterized by comprising:
A communication unit, configured to send a HELLO message to second network equipment over a first one-way link, the HELLO message carrying first authentication information for authenticating the first network equipment, and, in the case where the second network equipment has enabled authentication, to receive, over a second one-way link, an extended one-way link (UDL) link state packet (LSP) message from the second network equipment, the extended UDL LSP message being used to respond to the HELLO message and carrying second authentication information for authenticating the second network equipment, the first one-way link being a directly connected link from the first network equipment to the second network equipment, and the second one-way link being a non-directly-connected link from the second network equipment to the first network equipment;
A processor, configured to authenticate the extended UDL LSP message and, when the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, to establish the neighbor relationship between the first network equipment and the second network equipment.
6. The network equipment according to claim 5, characterized in that the processor for authenticating the extended UDL LSP message comprises:
The processor is configured to extract the second authentication information for authenticating the second network equipment carried in the extended UDL LSP message and to perform authentication; when the authentication is valid, it obtains the authentication result that both the first network equipment and the second network equipment have enabled authentication and authentication passes.
7. The network equipment according to claim 5, characterized in that, in the case where the second network equipment has not enabled authentication, it further comprises:
The communication unit is configured to receive, over the second one-way link, a one-way link (UDL) link state packet (LSP) message from the second network equipment, the UDL LSP message being used to respond to the HELLO message and not carrying the second authentication information for authenticating the second network equipment, the second one-way link being a non-directly-connected link from the second network equipment to the first network equipment;
The processor is configured to authenticate the UDL LSP message and, when it does not detect that the UDL LSP message carries the second authentication information for authenticating the second network equipment, not to establish a neighbor relationship with the second network equipment.
8. A neighbor establishment method, characterized in that the method comprises:
Second network equipment receives, over a first one-way link, a HELLO message from first network equipment, the HELLO message carrying first authentication information for authenticating the first network equipment, the first one-way link being a directly connected link from the first network equipment to the second network equipment;
In the case where the second network equipment has enabled authentication, the second network equipment receives the HELLO message over the first one-way link and authenticates it, and when authentication passes, sends an extended one-way link (UDL) link state packet (LSP) message to the first network equipment over a second one-way link, the extended UDL LSP message being used to respond to the HELLO message and carrying second authentication information for authenticating the second network equipment; the first network equipment authenticates the extended UDL LSP message, and in the case where the authentication result is that both the first network equipment and the second network equipment have enabled authentication and authentication passes, a neighbor relationship with the first network equipment is established; the second one-way link is a non-directly-connected link from the second network equipment to the first network equipment.
9. The method according to claim 8, characterized by further comprising:
In the case where the second network equipment has not enabled authentication, the second network equipment sends a one-way link (UDL) link state packet (LSP) message to the first network equipment over the second one-way link, the UDL LSP message not carrying the second authentication information for authenticating the second network equipment; the first network equipment authenticates the UDL LSP message, and in the case where the first network equipment does not detect that the UDL LSP message carries the second authentication information for authenticating the second network equipment, the neighbor relationship with the first network equipment is not established.
10. The method according to claim 8, characterized in that, in the case where the second network equipment has enabled authentication, the second network equipment receiving the HELLO message over the first one-way link and authenticating it comprises:
The second network equipment receives, over the first one-way link, the HELLO message carrying the first authentication information for authenticating the first network equipment, extracts the first authentication information, and authenticates the HELLO message;
When the authentication is valid, it confirms that authentication passes;
When the authentication is invalid, it confirms that authentication does not pass and does not establish a neighbor relationship with the first network equipment.
11. The method according to claim 8, characterized in that, in the case where the second network equipment has enabled authentication and the first network equipment has not enabled authentication, the method further comprises:
The second network equipment receives, over the first one-way link, the HELLO message sent by the first network equipment that does not carry the first authentication information for authenticating the first network equipment, and authenticates it; when the first authentication information cannot be extracted, it confirms that authentication does not pass and discards the HELLO message.
12. The method according to claim 8, characterized in that sending the extended one-way link (UDL) link state packet (LSP) message to the first network equipment over the second one-way link, the extended UDL LSP message being used to respond to the HELLO message and carrying the second authentication information for authenticating the second network equipment, comprises:
The second network equipment adds the second authentication information to the extended UDL LSP message and sends the extended UDL LSP message to the first network equipment over the second one-way link;
Or, the second network equipment adds the second authentication information to the extended UDL LSP message in an encrypted manner and sends the extended UDL LSP message to the first network equipment over the second one-way link.
13. The method according to any one of claims 8 to 12, characterized in that the second authentication information of the second network equipment comprises: authentication information of a broadcast network or authentication information of a point-to-point (P2P) network;
The authentication information of the broadcast network comprises: a Type field for storing the message type (Type), a Length field for storing the message length (Length), an Extended Local Circuit ID field for storing the local extended circuit identifier (Extended Local Circuit ID), an Authentication Type field for storing the authentication type (Authentication Type), and an Authentication Value field for storing the authentication information (Authentication Value);
The format of the authentication information of the P2P network comprises the following fields in order: a Type field for storing the message type (Type), a Length field for storing the message length (Length), a Neighbor LAN ID field for storing the neighbor link identifier (Neighbor LAN ID), an Authentication Type field for storing the authentication type (Authentication Type), and an Authentication Type field for storing the authentication information (Authentication Value).
14. A network equipment, used as a second network equipment, characterized by comprising:
A communication unit, configured to receive a HELLO message from a first network equipment over a first one-way link, where the HELLO message carries first authentication information for authenticating the first network equipment, and the first one-way link is a directly connected link from the first network equipment to the second network equipment;
A processor, configured to: in the case where the second network equipment has authentication enabled, authenticate the HELLO message carrying the first authentication information for authenticating the first network equipment; when the authentication passes, send an extended one-way link (UDL) link state packet (LSP) message to the first network equipment over a second one-way link, where the extended UDL LSP message is used to respond to the HELLO message and carries second authentication information for authenticating the second network equipment, and the authentication of the extended UDL LSP message is performed by the first network equipment; and, in the case where the authentication result is that both the first network equipment and the second network equipment have authentication enabled and the authentication passes, establish a neighbor relationship with the first network equipment; the second one-way link is a non-directly-connected link from the second network equipment to the first network equipment.
15. The network equipment according to claim 14, characterized in that, in the case where the second network equipment does not have authentication enabled, it further comprises:
The processor, configured to send a one-way link (UDL) link state packet (LSP) message to the first network equipment over the second one-way link, where the UDL LSP message does not carry the second authentication information for authenticating the second network equipment and the authentication of the UDL LSP message is performed by the first network equipment; and, in the case where the first network equipment does not detect in the UDL LSP message the second authentication information for authenticating the second network equipment, not establish the neighbor relationship with the first network equipment.
16. The network equipment according to claim 14, characterized in that the processor configured to authenticate the HELLO message carrying the first authentication information for authenticating the first network equipment comprises:
The processor, configured to extract the first authentication information from the HELLO message carrying the first authentication information for authenticating the first network equipment, and authenticate the HELLO message using the first authentication information; when the authentication is legitimate, confirm that the authentication passes; when the authentication is illegitimate, confirm that the authentication does not pass, and not establish the neighbor relationship with the first network equipment.
17. The network equipment according to claim 14, characterized in that, in the case where the second network equipment has authentication enabled and the first network equipment does not have authentication enabled, it further comprises:
The communication unit, configured to receive, over the first one-way link, the HELLO message sent by the first network equipment, where the HELLO message does not carry the first authentication information for authenticating the first network equipment, and the first one-way link is a directly connected link from the first network equipment to the second network equipment;
The processor, configured to authenticate the HELLO message that does not carry the first authentication information for authenticating the first network equipment; when the first authentication information cannot be extracted, confirm that the authentication does not pass and discard the HELLO message.
18. The network equipment according to claim 14, characterized in that the processor configured to send, over the second one-way link, the extended one-way link (UDL) link state packet (LSP) message to the first network equipment, where the extended UDL LSP message is used to respond to the HELLO message and carries the second authentication information for authenticating the second network equipment, comprises:
The processor, configured to add the second authentication information to the extended UDL LSP message and send the extended UDL LSP message to the first network equipment over the second one-way link; or, add the second authentication information to the extended UDL LSP message in an encrypted manner and send the extended UDL LSP message to the first network equipment over the second one-way link.
19. A system for neighbor establishment, characterized in that the system comprises:
The network equipment used as the first network equipment according to any one of claims 5 to 7, the network equipment used as the second network equipment according to any one of claims 14 to 18, and a physical link connecting the first network equipment and the second network equipment, where the physical link comprises a first one-way link from the first network equipment to the second network equipment and a second one-way link from the second network equipment to the first network equipment, the first one-way link is a directly connected link, and the second one-way link is a non-directly-connected link.
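An added sketch, not part of the patent text, of the receiver-side checks in claims 11 to 17 together with the radio-network authentication information layout of claim 13. The field widths, the type code, the Authentication Type value, the message bodies and the use of HMAC-SHA-256 with a pre-shared key are all assumptions; the claims fix none of them.

```python
import hashlib
import hmac
import struct

TLV_TYPE = 0xF0   # assumed code point; the claims give no numeric values
AUTH_HMAC = 1     # assumed Authentication Type: HMAC-SHA-256, pre-shared key

def build_auth_tlv(circuit_id, key, body):
    """Type | Length | Extended Local Circuit ID | Auth Type | Auth Value."""
    value = hmac.new(key, body, hashlib.sha256).digest()
    payload = struct.pack("!IB", circuit_id, AUTH_HMAC) + value
    return struct.pack("!BB", TLV_TYPE, len(payload)) + payload

def parse_auth_tlv(tlv):
    """Return (circuit_id, auth_type, value), or None if absent or malformed."""
    if len(tlv) < 7 or tlv[0] != TLV_TYPE or len(tlv) != 2 + tlv[1]:
        return None   # missing, truncated, or Length disagrees with the data
    circuit_id, auth_type = struct.unpack("!IB", tlv[2:7])
    return circuit_id, auth_type, tlv[7:]

def verify(key, body, tlv):
    """Check run by a receiver that has authentication enabled."""
    parsed = parse_auth_tlv(tlv)
    if parsed is None:
        return "dropped"    # no authentication information could be extracted
    _, auth_type, value = parsed
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if auth_type != AUTH_HMAC or not hmac.compare_digest(value, expected):
        return "rejected"   # authentication information is not legitimate
    return "pass"

def handshake(first_key, second_key):
    """Outcome of one exchange; a key of None means authentication is off."""
    if first_key is None and second_key is None:
        raise ValueError("neither device enables authentication: not covered")
    hello = b"HELLO from first device"             # constructed message body
    tlv = build_auth_tlv(1, first_key, hello) if first_key else b""
    if second_key:                                 # second device checks HELLO
        result = verify(second_key, hello, tlv)
        if result != "pass":
            return "HELLO " + result
    lsp = b"extended UDL LSP from second device"   # constructed message body
    tlv = build_auth_tlv(2, second_key, lsp) if second_key else b""
    if first_key and verify(first_key, lsp, tlv) == "pass":
        return "neighbor established"
    return "no neighbor relationship"
```

Only the case where both devices enable authentication and both checks pass yields a neighbor relationship; a one-sided configuration fails closed on whichever device has authentication enabled.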
CN201580062748.7A 2015-07-29 2015-07-29 The method, apparatus and system that neighbours establish Active CN107113278B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/085431 WO2017015899A1 (en) 2015-07-29 2015-07-29 Neighbor relationship establishment method, device and system

Publications (2)

Publication Number Publication Date
CN107113278A CN107113278A (en) 2017-08-29
CN107113278B CN107113278B (en) 2019-10-22

Family

ID=57886936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580062748.7A Active CN107113278B (en) 2015-07-29 2015-07-29 The method, apparatus and system that neighbours establish

Country Status (4)

Country Link
US (1) US10447549B2 (en)
EP (1) EP3319286B1 (en)
CN (1) CN107113278B (en)
WO (1) WO2017015899A1 (en)

Also Published As

Publication number Publication date
US20180152355A1 (en) 2018-05-31
US10447549B2 (en) 2019-10-15
CN107113278A (en) 2017-08-29
WO2017015899A1 (en) 2017-02-02
EP3319286A4 (en) 2018-07-18
EP3319286B1 (en) 2021-03-24
EP3319286A1 (en) 2018-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant